SQL Injection範例探討與可使用之防範方法 (SQL Injection Example Discussion and Preventing Methods)

Published in 2009 by 倪秋立; 葉道明
This paper was not found in any repository; the policy of its publisher is unknown or unclear.

Full text: Unavailable

Preprint: policy unknown
Postprint: policy unknown
Published version: policy unknown

Abstract

Databases are an essential link in modern information processing. Customer and product information in commercial companies, government household-registration and conscription records, education statistics, and even looking up web pages through a search engine or using an online dictionary: wherever large amounts of data are processed, a database is involved. Besides internal information processing, databases are also routinely used to let users query or modify data. For example, an online forum that lets members set a password or avatar needs a form through which users can submit information. The most common way for today's programs to query and modify a database is the Structured Query Language (hereafter SQL). When programming, we take the user's input, process it, and use it to build SQL commands that are issued to the database to obtain the desired information. SQL is convenient, but its very power also makes misuse dangerous; SQL Injection is one such danger. Just imagine the consequences if the database for the college entrance examination or a teacher recruitment examination were tampered with; the thought alone is enough to break out in a cold sweat. This paper analyses common SQL Injection techniques and proposes feasible methods of prevention. Finally, it offers overall recommendations on the SQL Injection mechanism.